File System Filter MiniDriver - file

I have a Program.exe that I need to intercept. That specific program uses CreateFile & ReadFile; however, I need to intercept the ReadFile function.
I thought about writing my own File System Filter MiniDriver.
I found this link by Googling: http://msdn.microsoft.com/en-us/library/ff551862(v=vs.85)
It seems that this is the correct way to do this. However, the last time I did any driver development, I remember that >= Vista did not allow drivers to be installed easily. You needed to acquire a "Signed" privilege from Microsoft (you had to pay).
My question is: can I create a simple File System Filter Driver for my USB stick and intercept any reads from ReadFile()? All I want to do is to allow ReadFile by a specific process.
1) I need this legally
2) I need to avoid unsigned drivers, so the driver would always work.
Will one minifilter driver work for every OS starting from XP?

The prohibition on loading unsigned drivers exists only on x64 versions of Windows >= Vista.
On x64 versions you can:
1) Switch to test mode to turn off this restriction
2) Add a test certificate as a root to the certificate store
But if you want to distribute this driver you must buy a certificate.
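The two options in the answer above, carried out end to end, as an added example (not the answer's own code): enabling test-signing mode, creating a self-signed code-signing certificate, trusting it machine-wide, signing the driver image and verifying the result. It assumes the built driver is at .\MyFilter.sys, that signtool.exe from the WDK/SDK is on PATH, and that the shell is elevated; the certificate subject name is a placeholder.

```powershell
# Added example: test-sign a kernel driver on x64 Windows. Run from an elevated PowerShell.
# Assumptions: driver image at .\MyFilter.sys, signtool.exe on PATH, subject name is a placeholder.

# 1) Put the boot loader into test-signing mode; takes effect after a reboot and shows a
#    "Test Mode" watermark on the desktop. In this mode the kernel accepts test-signed images.
bcdedit /set testsigning on

# 2) Create a self-signed code-signing certificate in the current user's personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=MyFilter Test Cert" `
    -CertStoreLocation Cert:\CurrentUser\My

# 3) Trust it machine-wide. Root makes the chain verify; TrustedPublisher keeps the driver
#    package install (INF/PnP) from stopping on an "untrusted publisher" prompt.
Export-Certificate -Cert $cert -FilePath .\MyFilterTest.cer | Out-Null
Import-Certificate -FilePath .\MyFilterTest.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath .\MyFilterTest.cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4) Sign the driver with that certificate (selected by thumbprint from CurrentUser\My)
#    using a SHA-256 file digest.
signtool sign /v /fd SHA256 /sha1 $cert.Thumbprint .\MyFilter.sys

# 5) Verify from PowerShell: Status should be Valid once the root is trusted.
$sig = Get-AuthenticodeSignature .\MyFilter.sys
"{0}: {1} ({2})" -f $sig.Path, $sig.Status, $sig.SignerCertificate.Subject

# Check the boot setting you changed in step 1 (look for "testsigning Yes").
bcdedit /enum "{current}"
```

This only gets a driver loading on your own test machines. For distribution the image has to be signed with a certificate that chains to a root the kernel trusts, and on Windows 10 version 1607 and later with Secure Boot enabled new kernel drivers must additionally be signed by Microsoft through the Hardware Dev Center (attestation or HLK submission), so "buy a certificate" is the starting point rather than the whole story.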

Yes, a minifilter is the preferred way for this. You can intercept system calls/IRPs and allow or deny any of them depending upon your criteria.
Also, the same driver code can be used for multiple OSes; however, you need to build for the specific OS.
WDK 7 can be used to build drivers from XP to Windows 7.
Also, as izlesa suggested, you need to sign for x64 Windows higher than Vista.

How to synchronize code files on windows with WSL/linux?

Basically I have some C/C++ code that I need to build and debug on a Linux machine. Unfortunately, my Windows laptop doesn't have enough free disk space to install some Linux distro, nor does it have enough free RAM to comfortably run a VM.
Until now, I dealt with it rather comfortably using WSL, but the scale was rather small. It was easy to edit and debug 2-3 .c files through the CLI and gdb, but it became really annoying on large-scale projects.
I want something as simple as "edit code in Windows IDE [X], compile it on remote Linux/WSL (the project uses Makefiles), and preferably debug it via gdb".
VS has something close to what I want, but it can't deal with existing Linux projects. It needs to create a new configuration which is alien to the project's Makefile.
I know this question is a bit old, but I think the solution is to make a symlink between your WSL folder and the Windows folder. This is how I handled it for an Ubuntu-20.04 WSL:
Access PowerShell in Administrator mode
Type cmd.exe in PowerShell
Once cmd.exe is opened, type: mklink /d C:\<path_to_your_Windows_folder> \\wsl$\Ubuntu-20.04\home\<your_user>\<path_to_your_WSL_folder>
EDIT
This was tested under Windows 10 version 2004 with WSL2
I'm unsure about C and C++, but it sounds like this is exactly the same as how I work in Node and JavaScript every day.
I check out my code using git inside WSL to a location like /mnt/c/code/myproject. Then, using Sublime/VS Code/WebStorm, I edit the files in Windows at c:\code\myproject. This works really well and I have been doing this every day for over a year.
Things to be aware of are that you need to ensure that your editor of choice saves files with Linux line endings and that all command line operations are done inside WSL.
Please see this article to see the differences between windows and linux files and how this works inside the WSL.
I want something simple as "edit code in windows IDE, compile it on remote linux/WSL"
You will have something as simple as that.
Only with Windows 10 version 1903 though:
See "Updated WSL in Windows 10 version 1903 lets you access Linux files from Windows"
Microsoft's Craig Loewen says:
In the past, creating and changing Linux files from Windows resulted in losing files or corrupting data. Making this possible has been a highly requested and long anticipated feature. We're proud to announce you can now easily access all the files in your Linux distros from Windows.
So how does this work? He goes on to explain:
To put it briefly: a 9P protocol file server facilitates file related requests, with Windows acting as the client.
We've modified the WSL init daemon to include a 9P server. This server contains protocols that support Linux metadata, including permissions.
There is a Windows service and driver that acts as the client and talks to the 9P server (which is running inside of a WSL instance).
Client and server communicate over AF_UNIX sockets, since WSL allows interop between a Windows application and a Linux application using AF_UNIX as described in this post.
Warning:
The old rules still apply, you should NOT access your Linux files inside of the AppData folder!
If you try to access your Linux files through your AppData folder, you are bypassing using the 9P server, which means that you will not have access to your Linux files, and you could possibly corrupt your Linux distro.
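The symlink step from the mklink answer, the line-ending caveat from the git-in-WSL answer, and the \\wsl$ share described in the 9P answer, put together as an added example (not any answerer's code): a function that creates the link in PowerShell directly (no cmd.exe hop), checking first that the \\wsl$ path is actually being served, and a second function that scans the tree for CRLF line endings before you build it inside WSL. It assumes a distro named Ubuntu-20.04 and a project at /home/alice/myproject inside it; creating a symbolic link needs an elevated shell or Developer Mode.

```powershell
# Added example: link a Windows path to a WSL project directory and check it for CRLF endings.
# Assumptions: distro 'Ubuntu-20.04', project at /home/alice/myproject, elevated shell or Developer Mode.

function New-WslProjectLink {
    param(
        [Parameter(Mandatory)] [string] $WindowsPath,   # e.g. C:\code\myproject
        [Parameter(Mandatory)] [string] $Distro,        # e.g. Ubuntu-20.04
        [Parameter(Mandatory)] [string] $LinuxPath      # e.g. /home/alice/myproject
    )
    # \\wsl$\<distro> is served by the 9P server inside the distro, so the link goes through
    # that server and never touches the rootfs copy under AppData directly.
    $target = '\\wsl$\' + $Distro + ($LinuxPath -replace '/', '\')
    if (-not (Test-Path -LiteralPath $target)) {
        throw "WSL path not reachable (is the distro running?): $target"
    }
    New-Item -ItemType SymbolicLink -Path $WindowsPath -Target $target
}

function Find-CrlfFile {
    # Lists source files that contain Windows line endings; Makefiles and shell scripts with
    # CRLF are the usual cause of "missing separator" and "bad interpreter" errors under WSL.
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Extensions = @('.c', '.cpp', '.h', '.hpp', '.mk', '.sh'),
        [string[]] $Names = @('Makefile', 'GNUmakefile')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension -or $Names -contains $_.Name } |
        Where-Object { [System.IO.File]::ReadAllText($_.FullName).Contains("`r`n") } |
        Select-Object -ExpandProperty FullName
}

New-WslProjectLink -WindowsPath 'C:\code\myproject' -Distro 'Ubuntu-20.04' -LinuxPath '/home/alice/myproject'
Find-CrlfFile -Root 'C:\code\myproject'
```

If Find-CrlfFile reports files, fix the editor setting rather than the files one by one; setting core.autocrlf to false in the WSL-side git checkout keeps git itself from reintroducing CRLF on the Windows side.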

How to get harddrive serial number in C or asm without wmi

How to get the hard drive serial number (not the volume number, which changes at each reinstall of Windows) in C or asm, without WMI (because WMI requires admin rights)? Any clue would be helpful because right now I have found nothing on the web in C without WMI, in days of searching... Thank you.
EDIT: For Windows systems
Please try my open source tool, DiskId32, which also has the source code at http://www.winsim.com/diskid32/diskid32.html . I only have a Win32 version at this time. Maybe some day I will add a Win64 version.
Hard drive serial number and other information about the hard drive like firmware version, etc. can only be obtained using SMART as far as I know, and that requires special ioctls to the block device node (/dev/sda or /dev/sdb) which is usually not available to a regular user.
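One way to read the physical disk serial number on Windows without WMI and without administrator rights, as an added example (not DiskId32's code and not taken from the answer above): open \\.\PhysicalDriveN with no access rights and issue IOCTL_STORAGE_QUERY_PROPERTY for StorageDeviceProperty; the returned STORAGE_DEVICE_DESCRIPTOR carries the serial at the offset given in its SerialNumberOffset field. The Win32 calls are made from PowerShell through P/Invoke; the structure layout is Microsoft's, the class and function names are my own.

```powershell
# Added example: disk serial number via IOCTL_STORAGE_QUERY_PROPERTY, no WMI, no admin rights.
# Opening the device with dwDesiredAccess = 0 only allows metadata queries, which is why
# a standard user is permitted to do it; the IOCTL itself is defined with FILE_ANY_ACCESS.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class DiskSerial
{
    const uint FILE_SHARE_READ  = 0x1;
    const uint FILE_SHARE_WRITE = 0x2;
    const uint OPEN_EXISTING    = 3;
    const uint IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400;

    [StructLayout(LayoutKind.Sequential)]
    struct STORAGE_PROPERTY_QUERY
    {
        public int  PropertyId;            // 0 = StorageDeviceProperty
        public int  QueryType;             // 0 = PropertyStandardQuery
        public byte AdditionalParameters;  // unused for this query
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes,
        IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode,
        ref STORAGE_PROPERTY_QUERY lpInBuffer, int nInBufferSize,
        byte[] lpOutBuffer, int nOutBufferSize, out int lpBytesReturned, IntPtr lpOverlapped);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns the serial string for \\.\PhysicalDrive<driveNumber>, or null if none is reported.
    public static string Get(int driveNumber)
    {
        IntPtr h = CreateFile(@"\\.\PhysicalDrive" + driveNumber, 0,
            FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);
        if (h == new IntPtr(-1))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            var query = new STORAGE_PROPERTY_QUERY();   // PropertyId 0, QueryType 0
            byte[] buf = new byte[4096];
            int returned;
            if (!DeviceIoControl(h, IOCTL_STORAGE_QUERY_PROPERTY, ref query, Marshal.SizeOf(query),
                                 buf, buf.Length, out returned, IntPtr.Zero))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());

            // STORAGE_DEVICE_DESCRIPTOR: Version(0) Size(4) DeviceType(8) DeviceTypeModifier(9)
            // RemovableMedia(10) CommandQueueing(11) VendorIdOffset(12) ProductIdOffset(16)
            // ProductRevisionOffset(20) SerialNumberOffset(24). Offsets are from the buffer start.
            int offset = BitConverter.ToInt32(buf, 24);
            if (offset <= 0 || offset >= returned) return null;
            int end = Array.IndexOf<byte>(buf, 0, offset);
            if (end < 0) end = returned;
            return System.Text.Encoding.ASCII.GetString(buf, offset, end - offset).Trim();
        }
        finally { CloseHandle(h); }
    }
}
'@

[DiskSerial]::Get(0)
```

Two caveats: the string is whatever the port driver reports, so for some ATA/SATA stacks it may come back with each pair of characters swapped (the raw ATA IDENTIFY word order) or hex-encoded, and for USB bridges it is the bridge's serial rather than the disk's; compare against what the firmware reports (for example in the BIOS) before relying on it as a machine identifier.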
I know there is a tool called smartctl which does exactly this:
sudo smartctl -i /dev/sda
Similar tools exist (hdparm, lshw, etc.) as well.
As far as trying to figure out this info without being a privileged user, it might be possible only if it is exposed via /proc or /sys, which I highly doubt is being done in the current SATA block device drivers.

How to generate .exe drivers instead of .sys?

I'm new to the kernel mode world. I've tried to write a simple "hello world" driver in a Windows 7 virtual machine. I'm using WDK 7600.16385.1 -> x86 Free Build Environment for compilation; when it builds, the generated driver is a .sys file, so I'd like to know if it is possible to set up the compiler to generate an .exe file, so that a user can run it by double-clicking the executable.
I thought that perhaps, when I install some driver and the "setup" is a .exe file, it isn't really the driver; it is a program that installs the driver (with the .sys extension) on your computer, so the .exe file is just the installer and not the driver itself. But I am not sure if this is true.
If you could give me some information about generating a driver for Windows, I'll be eternally grateful!
Thanks in advance!
The .exe files you're looking at are, indeed, installers. There are a number of tools available for creating installers; NSIS is one of the more popular options.
.exe marks executable files for Windows user mode. The format of user mode and kernel mode "executables" differs a lot. In particular, there is no such thing as a user running the kernel executable. Kernel drivers aren't directly accessible to user mode; communication is allowed only via OS-defined interfaces, i.e. a user-mode component must perform a dedicated OS call which will be routed to the kernel component by the OS. There are many more differences between kernel and user modes, but this particular one explains why running a kernel driver by a user isn't possible (and shouldn't be).
As for your second question, yes, these .exe files are installers.

Remove oem.inf files corresponding to hardware id

I'm installing my driver using dpinst.exe. But before installing my driver I wish to delete all the oem*.inf files from the INF directory corresponding to my hardware ID.
I want to do this programmatically. Please suggest me a way to do this.
Update:
I want to do this without the device connected, as I may pre-install the driver before connecting the device. My device is a PnP device.
1) Use SetupDiEnumDeviceInfo and SetupDiGetDeviceRegistryProperty to match your hardware ID
2) Use SetupDiOpenDevRegKey and RegQueryValueEx to read the corresponding InfPath
3) Call SetupUninstallOEMInf
PhilMY has already posted an excellent answer, which is still relevant. However, it is more than ten years old now, so I wanted to update it with more recent/recommended APIs:
1) Use SetupDiEnumDeviceInfo() and SetupDiGetDeviceRegistryProperty() to match your hardware ID
2) To get the OEM INF path, SetupDiGetDriverInfoDetail() can be used instead of reading the registry directly
3) Call DiUninstallDriver() on the resulting INF path (Microsoft recommends using it instead of SetupUninstallOEMInf(). In addition, it returns the needReboot flag, which may be useful in some scenarios.)
Step 2 is a little tricky as it requires SP_DRVINFO_DATA on input. To acquire it, one typically needs to call SetupDiBuildDriverInfoList() and SetupDiEnumDriverInfo() to iterate through all installed drivers for a particular device (use the SPDIT_COMPATDRIVER flag to enumerate 3rd-party drivers).
It has a significant advantage in scenarios when multiple drivers are suitable for the given device, and this approach allows one to choose exactly which driver to uninstall.
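Both answers above describe the SetupAPI route from C. As an added example (not either answerer's code), here is the same job done from PowerShell in a way that covers the "device not connected yet" case from the question's update: enumerate the third-party packages in the driver store, ask DISM for the hardware IDs each INF matches, and hand the matching published names (oemNN.inf) to pnputil. It assumes an elevated shell, the built-in DISM module (Get-WindowsDriver), and a pnputil recent enough to understand /delete-driver; the hardware ID is a placeholder.

```powershell
# Added example: remove every third-party driver package whose INF matches a hardware ID,
# whether or not the device is present. Run elevated. The hardware ID below is a placeholder.

function Remove-DriverPackageByHardwareId {
    param(
        [Parameter(Mandatory)] [string] $HardwareId,   # e.g. 'USB\VID_1234&PID_5678'
        [switch] $DryRun                               # report matches, delete nothing
    )
    # Without -All, Get-WindowsDriver -Online lists only third-party packages (oemNN.inf).
    foreach ($pkg in Get-WindowsDriver -Online) {
        # Querying a single package returns one object per Models-section entry, with the
        # hardware ID that entry matches on.
        $entries = Get-WindowsDriver -Online -Driver $pkg.Driver
        $hit = $entries | Where-Object { $_.HardwareId -eq $HardwareId }   # case-insensitive
        if (-not $hit) { continue }

        "{0} ({1}) lists {2}" -f $pkg.Driver, $pkg.OriginalFileName, $HardwareId
        if ($DryRun) { continue }

        # /uninstall also unbinds any present device; /force is required when a device is
        # currently using the package. Older pnputil builds only accept 'pnputil -f -d oemNN.inf'.
        pnputil /delete-driver $pkg.Driver /uninstall /force
        if ($LASTEXITCODE -notin 0, 3010) {   # 3010 = success, reboot required
            Write-Warning "pnputil failed for $($pkg.Driver): exit code $LASTEXITCODE"
        }
    }
}

Remove-DriverPackageByHardwareId -HardwareId 'USB\VID_1234&PID_5678' -DryRun
```

Run it with -DryRun first: a generic INF can list a whole family of hardware IDs, and matching on an exact ID (rather than -like with wildcards) is deliberate so that you only remove packages that really claim your device.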

Windows display driver hooking, 64 bit

I once wrote a sort of a driver for Windows, which had to intercept the interaction of the native display driver with the OS. The native display driver consists of a miniport driver and a DLL loaded by win32k.sys into the session space. My goal was to meddle between win32k.sys and that DLL. Moreover, the system might have several display drivers; I had to hook them all.
I created a standard WDM driver, which was configured to load at system boot (i.e. before win32k). During its initialization it hooked the ZwSetSystemInformation, by patching the SSDT. This function is called by the OS whenever it loads/unloads a DLL into the session space, which is exactly what I need.
When ZwSetSystemInformation is invoked with SystemLoadImage parameter - one of its parameters is the pointer to a SYSTEM_LOAD_IMAGE structure, and its ModuleBase is the module base mapping address. Then I analyze the mapped image, patch its entry point with my function, and the rest is straightforward.
Now I need to port this driver to a 64-bit Windows. Needless to say it's not a trivial task at all. So far I found the following obstacles:
All drivers must be signed
PatchGuard
SSDT is not directly exported.
If I understand correctly, PatchGuard and driver signing verification may be turned off, the driver should be installed on a dedicated machine, and we may torture it the way we want.
There're tricks to locate the SSDT as well, according to online sources.
However recently I've discovered there exists a function called PsSetLoadImageNotifyRoutine. It may simplify the task considerably, and help avoid dirty tricks.
My questions are:
If I use PsSetLoadImageNotifyRoutine, will I receive notifications about DLLs loaded into the session space? The official documentation talks about "system space or user space", but does "system space" also include the session space?
Do I need to disable the PatchGuard if I'm going to patch the mapped DLL image after it was mapped?
Are there any more potential problems I didn't think about?
Are there any other ways to achieve what I want?
Thanks in advance.
Do I need to disable the PatchGuard if I'm going to patch the mapped DLL image after it was mapped?
To load any driver on x64 it must be signed. With admin rights you can disable PatchGuard, and I personally recommend using DSEO, a GUI application made for this. Or you can bypass PatchGuard by overwriting the MBR (or BIOS), although this is typically considered a bootkit, i.e. malware.